Bound to turn up. The adventures of an early adopter.


DDoS: The Democracy of Crime

My SOURCE Seattle presentation on a Heart of Darkness-style journey through startups, carriers, DDoS, and record-setting disruptions by people who implicitly admit to their actions and somehow avoid consequences.

I was introduced to some edgy teens who ran a 500k/yr basement operation doing BGP anycast-style DDoS mitigation (or rather, managing the resale of one), beating out the biggest businesses, whose fixed costs were already carried by an existing client base.

There was some founder friction, but it still seemed promising given the lack of movement in the carrier space: carriers didn’t want to solve these problems and seemed to have unlimited resources to throw at problems they don’t want to solve.

If you haven’t been around for a while: DDoS has been a thing for a long time, and many attackers construct whole intellectually dishonest philosophies for why they should be allowed to wreck internet ecosystems. These always boil down to a baseless claim that it is justified to commit a huge pile of crimes and wreak havoc across whole geographies of infrastructure because “I want.”

These new attacks employ fully stateful, legitimate-looking traffic. They are not amplification attacks or crafted packets exploiting old busted junk in the protocols themselves, but rather new busted junk that has been irresponsibly shipped in devices, because there is no such thing as software liability and likely never will be. This is now the new normal.

Having the competitive advantage of access to C2 data certainly makes defending against attacks from that same C2 a lot easier.

Users reported sporadic problems reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.

Think about what the ability to undetectably MitM partner networks does to third-party compliance and network security controls.

Unless you have your own Dyn-like global BGP observatory, collecting terabytes per day from globally distributed sensors that continually run traceroutes, and have somehow automated alerting on malicious routing changes worldwide, you basically cannot know definitively whether your internet links are being hijacked.

Fallout from record-setting global IoT DDoS:

No news

No charges

No convictions

No real attention of any kind as yet, even though various rich and powerful people were personally affected and global clouds/nets experienced significant downtime

Other possibilities:

Leveraging mitigated ASNs to attack others (or whomever) when not authorized for that purpose. Telling a legitimate BGP announcement from an illegitimate one has not been something peering networks have wanted to do, for many reasons.
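The observatory point above and the legitimate-versus-illegitimate announcement point here are the same check in code. What follows is an added example, not code from the original post or from any of the companies it describes: a minimal origin check over constructed route observations of the kind an observatory feed would be run through. It applies RPKI route-origin-validation style rules (a route is valid if a covering ROA matches its origin ASN and its prefix length is within maxLength, invalid if covering ROAs exist but none match, unknown if nothing covers it), and additionally reports prefixes whose origin differs between collectors, which is how a hijack visible from only part of the internet shows up. The ROA table, ASNs, prefixes, and collector names are all constructed for illustration.

```python
"""Added example (not from the original post): RPKI-style origin checks plus a
cross-collector origin-disagreement check over constructed BGP observations.
ROA entries, ASNs (64496-64666), prefixes (documentation ranges) and collector
names are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class RouteObservation:
    prefix: str
    as_path: tuple      # rightmost element is the origin ASN
    collector: str      # hypothetical collector id, e.g. "rrc00"


# Constructed expected-origin table (hypothetical; a real one comes from RPKI).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 25, 64497),
    Roa("203.0.113.0/24", 24, 64498),
]


def classify(obs, roas=ROAS):
    """Return 'valid', 'invalid-origin', 'invalid-length' or 'unknown'.

    Both invalid-* outcomes are simply 'invalid' under RFC 6811; they are split
    here so an analyst can tell a wrong-origin hijack from an over-specific
    announcement by the legitimate origin."""
    net = ipaddress.ip_network(obs.prefix, strict=True)
    origin = obs.as_path[-1]
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_asn == origin and net.prefixlen <= r.max_length:
            return "valid"
    if any(r.origin_asn == origin for r in covering):
        return "invalid-length"
    return "invalid-origin"


def find_conflicts(observations):
    """Prefixes seen with more than one origin ASN across collectors: a partial
    hijack that a single vantage point would miss."""
    origins = {}
    for o in observations:
        origins.setdefault(o.prefix, set()).add(o.as_path[-1])
    return {p: sorted(a) for p, a in origins.items() if len(a) > 1}


def run_checks(observations, roas=ROAS):
    """Return (alerts, conflicts); alerts are (collector, prefix, origin, verdict)
    for every observation that is not valid."""
    alerts = []
    for o in observations:
        verdict = classify(o, roas)
        if verdict != "valid":
            alerts.append((o.collector, o.prefix, o.as_path[-1], verdict))
    return alerts, find_conflicts(observations)


# Constructed sample feed: one legitimate route, one hijack of the same prefix
# seen only from rrc01, a more-specific hijack, an over-long legitimate
# announcement, and a prefix with no ROA coverage.
SAMPLE = [
    RouteObservation("192.0.2.0/24", (64500, 64496), "rrc00"),
    RouteObservation("192.0.2.0/24", (64501, 64666), "rrc01"),
    RouteObservation("198.51.100.0/25", (64500, 64497), "rrc00"),
    RouteObservation("198.51.100.128/26", (64500, 64497), "rrc00"),
    RouteObservation("203.0.113.0/25", (64502, 64666), "rrc03"),
    RouteObservation("10.0.0.0/8", (64500, 64499), "rrc00"),
]

if __name__ == "__main__":
    alerts, conflicts = run_checks(SAMPLE)
    for a in alerts:
        print("ALERT", *a)
    for prefix, asns in conflicts.items():
        print("CONFLICT", prefix, "origins seen:", asns)
```

In a real deployment the observations come from a live route collector feed rather than a hard-coded list, and the "unknown" verdict is the common one for any prefix whose holder has not published a ROA, which is exactly why observatories also track what is normal for a prefix over time rather than relying on ROAs alone.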

Conclusion: if your crimes and tactics are very technical in nature, you can expect to be ignored indefinitely.

[[ Poll: does anyone here understand how BGP or other high level internet routing protocols work? What about peering relationships and how those interact with nation-state politics? ]]

Nothing is off the table in word or action:

Slander and harassment in relationship management

DDoS and botnet attacks as a sales strategy

Business/wire fraud without awareness of exposure and consequences; all tainted equity and business value essentially worthless or worse

Running business processes from root shells on containers deployed on bulletproof hosting on hijacked IP space, managed via Tor, and paid for with BTC

No decent contracts or formalized relationships (and no awareness of why this is a bad thing)

The list goes on

Intermixing of crime and business based on Dyn’s report of their activities and similar reporting:

DDoS of prospective clients during the RFP process to force sales

Trolling the competition at 3am using fake documents and fake business identities instead of competitive market analysis

As per usual, hiring of employees and vendors focuses on the wrong things.

People are already tired of waiting for someone to address the ecosystem and have started destroying that low-hanging fruit, creating, at long last, a market force of some kind. An imperfect one, but making internet hardware nonfunctional gets things done no matter the political hand-waving.

What happens when it’s no one’s job to fix?
What if the people responsible for these problems just let them go on for a decade or more without any appreciable action? (Because that is what has occurred.)

Network effects of this broken bitrotting ecosystem:

Brickerbots

Vigilantism

Wrecked businesses / firesale equity

Bulletproof hosting

Fronts for crime rings and subcontracted organized crime (highly optimized markets) that should be treated as a threat to national security/sovereignty

So if you can’t count on legitimate enterprises to fix problems, and the upstarts have no integrity and will burn down your life for a dollar, what then?

Infrastructure as code

Contingency plans

Automation of both

Doing nothing at all and having no viable plans whatsoever for business continuity and incident response isn’t a good idea unless your business doesn’t matter to anyone.

You can automate contingency plans for being attacked. You can leverage well-defended and geographically diverse global clouds. You can put critical paths on private connectivity that is not internet routed, such as Azure’s government cloud offerings reached over their own cross-continental private fiber from internetwork exchange PoPs. A path that never transits the public internet presents no internet threat surface, so it is by design not exposed to BGP hijacking or internet-sourced DDoS (the public-facing endpoints of the same services remain exposed, so the private path only protects what you actually move onto it).

Multinationals are building their own private internet because those running the present internet are not solving problems.

Deployment automation also has the nice side effect that infrastructure is hours or days old, instead of production environments carrying unlimited bitrot and legacy exposures, a leading cause of breach and data exfiltration.
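The "hours or days old" property does not come from a redeploy script alone; it comes from a rotation policy that is run continuously and that refuses to take the fleet below serving capacity while it rotates. The following is an added example, not code from the original post or from any product it mentions: a policy that marks hosts stale when they are older than a maximum age or were built from a superseded image, replaces unhealthy stale hosts unconditionally, and replaces the oldest healthy stale hosts only as far as a minimum healthy count allows, deferring the rest to the next pass. The inventory, image identifiers, ages, and thresholds are all constructed.

```python
"""Added example (not from the original post): a rotation policy that bounds
infrastructure age without rotating the fleet below minimum capacity.
Host names, image ids, timestamps and thresholds are constructed assumptions."""
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=48)            # assumed age bound for any host
CURRENT_IMAGE = "web-2016-10-25"         # hypothetical current golden image id


def is_stale(host, now, max_age=MAX_AGE, current_image=CURRENT_IMAGE):
    """A host is stale if it runs a superseded image or exceeds the age bound."""
    return host["image"] != current_image or (now - host["launched"]) > max_age


def plan_rotation(hosts, now, min_healthy, max_age=MAX_AGE,
                  current_image=CURRENT_IMAGE):
    """Decide one rotation pass.

    hosts: dicts with keys name, image, launched (aware datetime), healthy (bool).
    Returns (replace_now, deferred): names to terminate and rebuild in this pass,
    and stale-but-healthy names held back because replacing them would drop the
    healthy count below min_healthy. Unhealthy stale hosts are always replaced;
    they contribute no capacity, so removing them costs nothing."""
    stale = [h for h in hosts if is_stale(h, now, max_age, current_image)]
    unhealthy = [h for h in stale if not h["healthy"]]
    # Oldest first so the longest-lived exposure is retired soonest.
    healthy_stale = sorted((h for h in stale if h["healthy"]),
                           key=lambda h: h["launched"])
    healthy_count = sum(1 for h in hosts if h["healthy"])
    budget = max(0, healthy_count - min_healthy)
    replace_now = unhealthy + healthy_stale[:budget]
    deferred = healthy_stale[budget:]
    return [h["name"] for h in replace_now], [h["name"] for h in deferred]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


# Constructed inventory: two fresh hosts, one over the age bound, one on an
# old image, and one old-image host that is also failing health checks.
NOW = _ts("2016-10-26T12:00")
FLEET = [
    {"name": "web-a", "image": "web-2016-10-25", "launched": _ts("2016-10-26T06:00"), "healthy": True},
    {"name": "web-b", "image": "web-2016-10-25", "launched": _ts("2016-10-23T00:00"), "healthy": True},
    {"name": "web-c", "image": "web-2016-09-01", "launched": _ts("2016-10-26T00:00"), "healthy": True},
    {"name": "web-d", "image": "web-2016-09-01", "launched": _ts("2016-09-01T00:00"), "healthy": False},
    {"name": "web-e", "image": "web-2016-10-25", "launched": _ts("2016-10-26T10:00"), "healthy": True},
]

if __name__ == "__main__":
    now_replace, later = plan_rotation(FLEET, NOW, min_healthy=3)
    print("replace now:", now_replace)
    print("deferred:   ", later)
```

Run on a schedule, this converges the fleet onto the current image and under the age bound within a few passes; the deferral list is what keeps a bad golden image or a flapping health check from turning the rotation itself into the outage.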

The status quo of legacy trash becomes a colossal, equity-destroying risk exposure, and doing nothing as a plan becomes immediately and obviously untenable.